Another question: how to apply default authorizations?
I want to protect my API with authorization in Keycloak. However, some
resources should be open to the public, accessible without any bearer token.
My idea was:
- create an "unregistered_user" composite role, containing some basic roles
- create a "guest" user, with the unregistered_user role
- on the API server, if there is no token in the request I will get the
roles of the guest user and use them. If there is a token, I'll use that
user's permissions.
What do you think of that process?
Thanks
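
The fallback described in the post, sketched as an added example that is not part of the original message and not Keycloak's own code. Assumptions: the guest user's roles have already been fetched and cached in `GUEST_ROLES`, an HS256 demo key stands in for the realm's signing key so the block runs offline, and all function names are hypothetical. A token that is present but invalid is rejected instead of being downgraded to guest.

```python
import base64, hashlib, hmac, json, time

# Assumption: roles of the "guest" user, fetched once from Keycloak and cached.
GUEST_ROLES = frozenset({"catalog:read"})
# Assumption: HS256 demo key so the example runs offline; a real deployment
# verifies against the realm's public key instead.
DEMO_KEY = b"constructed-demo-key"

class Unauthorized(Exception):
    """Maps to HTTP 401 in the API server."""

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, key=DEMO_KEY):
    """Build a constructed HS256 token for the demo and the tests."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify_token(token, key=DEMO_KEY, now=None):
    """Return the claims, or raise Unauthorized on any defect."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64d(head))
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64d(sig)):
            raise Unauthorized("bad signature")
        claims = json.loads(_b64d(body))
    except (ValueError, AttributeError) as exc:
        raise Unauthorized("malformed token") from exc
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise Unauthorized("expired token")
    return claims

def effective_roles(headers, now=None):
    """Guest roles only when no Authorization header is sent at all."""
    auth = headers.get("Authorization")
    if auth is None:
        return GUEST_ROLES
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise Unauthorized("unsupported Authorization header")
    claims = verify_token(token.strip(), now=now)
    return frozenset(claims.get("realm_access", {}).get("roles", []))
```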